Wendy’s data breach is a wake-up call

Jacob Luecke

2 years ago

By Clayton Hicklin

With data security, everything old is new again.

That’s a key takeaway from the recent news of a malware-driven credit card breach at more than 1,000 Wendy’s fast-food restaurants, a situation that offers a roadmap for small and midsized companies seeking to improve cyber-preparedness.

From what has been released about the attack, we understand that the Wendy’s breach was the result of social engineering. This is a common cyber-attack vector; in this case, it involved bad actors using a phishing email to steal user credentials from a Wendy’s vendor. This is the same type of attack that was used to infiltrate systems at Target in 2013. The approach is not new.

Clayton Hicklin is the director of business innovation at Huber & Associates

Most significant in this new breach were the layers of security the attackers were able to successfully penetrate. They got in using credentials illicitly obtained from an external third party. Once they were inside, those vendor credentials gave them access to point-of-sale systems, some of the highest-value data a company owns. But the breach went beyond access. These same credentials let criminals install malware and extract and distribute data externally.

Other companies are not immune from this type of attack. To minimize risk, start with securing your company’s digital front door. That means using what’s called multifactor authentication, user credentials that require both something you know, like a user name/password pair, and something you have, such as a key fob.

Once users are inside the network, segmentation ensures they can access only systems needed to do their jobs. For example, a produce vendor or janitorial crew shouldn’t even be allowed to knock on the point-of-sale door. And well-maintained security patches and restrictive tools can prohibit unauthorized people from installing malware on or extracting data from private systems.

With today’s hackers being able to compromise huge international companies like Wendy’s and Yahoo, it must seem like all hope is lost for small businesses seeking to protect their data. However, these companies can take a number of proactive steps to achieve a high level of confidence that their systems are secure.

For example, if nonemployees routinely access your systems, you can start by reviewing your data security policy to confirm who has access to what through which devices and how often credentials are changed. Also, ask your IT hardware and software vendors about security patch maintenance.

Cyber-risks differ by organization, but the issues aren’t going away.

A cybersecurity assessment is the best way to uncover your company’s unique security holes so you can create a plan to plug them.